Thanks for the suggestions.
It turned out that I needed hairpin NAT (which I’d tried previously, but hadn’t configured quite right).
All the debugging tips were really helpful.
I don’t have access to any outside boxes to test the normal DNAT/port forward, so I ended up testing via a commercial VPN service.